An Indian security researcher, Piyush Malik, has discovered an Expression Language (EL) Injection security flaw in Zong, a subsidiary of PayPal.

According to OWASP, EL Injection is a vulnerability that allows an attacker to control data passed to the EL interpreter. In some cases, it allows attackers to execute arbitrary code on the server.

Malik said in his blog that Zong was running an outdated version of Clearspace (now known as Jive software) on a subdomain.

"Clearspace is a Knowledge management tool and is Integrated with Spring Framework. EL Pattern was used in Spring JSP Tags which made Clearspace Vulnerable to this Bug," Malik explained in his blog.

He found two forms on the site that are vulnerable to this bug. He was able to perform some arithmetic operations using the vulnerable field.

One of the vulnerable URLs:

https://clearspace.zong.com/login!input.jspa?unauth=${custom command here}

An attacker can inject an Expression Language command in the 'unauth' field, which will be executed on the server. In his demo, the researcher injected an arithmetic command (https://clearspace.zong.com/login!input.jspa?unauth=${100*3}) and was able to execute it.

PayPal has offered a bounty for his finding. The researcher didn't disclose the bounty amount.

The EL Injection vulnerability was first documented by security researchers from Minded Security in 2011. You can find the document here: https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
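
Requests like the one in the demo leave a recognisable trace in web server logs. The following is an added example, not code from the researcher's blog or from Clearspace or Spring: it scans access-log lines for query parameters that still contain EL delimiters after URL decoding. The log lines are constructed samples, and the function names and log format are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# EL delimiters ${...} and #{...}, matched on the fully decoded value.
EL_PATTERN = re.compile(r"[$#]\{[^}]*\}")
# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2014:10:00:00 +0000] "GET /login!input.jspa?unauth=true HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2014:10:00:05 +0000] "GET /login!input.jspa?unauth=${100*3} HTTP/1.1" 200 5131',
    '198.51.100.4 - - [01/Jan/2014:10:00:09 +0000] "GET /login!input.jspa?unauth=%24%7B100*3%7D HTTP/1.1" 200 5131',
    '198.51.100.4 - - [01/Jan/2014:10:00:12 +0000] "GET /login!input.jspa?unauth=%2524%257B100*3%257D HTTP/1.1" 200 5131',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, stopping once the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_el_params(log_line):
    """Return [(param, decoded_value)] for query parameters carrying EL syntax."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = match.group(1).partition("?")[2]
    hits = []
    # parse_qsl decodes one layer; fully_decode removes any further layers.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        if EL_PATTERN.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return [(line_number, param, decoded_value)] for every suspicious parameter."""
    return [(n, p, v) for n, line in enumerate(lines, 1)
            for p, v in find_el_params(line)]

if __name__ == "__main__":
    for line_no, param, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} contains EL syntax: {value}")
```

A hit only shows that EL syntax reached the application; whether it was evaluated depends on how the JSP tags handle the parameter.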